From 878f5a20b6b1bda4c03fca28a39250ffe846619a Mon Sep 17 00:00:00 2001 From: Rainer Halanek Date: Fri, 25 Feb 2022 12:58:35 +0100 Subject: [PATCH 01/16] adding system topic --- .../systemTopics/.bicep/nested_cuaId.bicep | 1 + .../.bicep/nested_privateEndpoint.bicep | 52 ++++++ .../systemTopics/.bicep/nested_rbac.bicep | 34 ++++ .../systemTopics/.parameters/parameters.json | 40 +++++ .../systemTopics/deploy.bicep | 150 ++++++++++++++++++ .../systemTopics/readme.md | 127 +++++++++++++++ .../systemTopics/version.json | 4 + 7 files changed, 408 insertions(+) create mode 100644 arm/Microsoft.EventGrid/systemTopics/.bicep/nested_cuaId.bicep create mode 100644 arm/Microsoft.EventGrid/systemTopics/.bicep/nested_privateEndpoint.bicep create mode 100644 arm/Microsoft.EventGrid/systemTopics/.bicep/nested_rbac.bicep create mode 100644 arm/Microsoft.EventGrid/systemTopics/.parameters/parameters.json create mode 100644 arm/Microsoft.EventGrid/systemTopics/deploy.bicep create mode 100644 arm/Microsoft.EventGrid/systemTopics/readme.md create mode 100644 arm/Microsoft.EventGrid/systemTopics/version.json diff --git a/arm/Microsoft.EventGrid/systemTopics/.bicep/nested_cuaId.bicep b/arm/Microsoft.EventGrid/systemTopics/.bicep/nested_cuaId.bicep new file mode 100644 index 0000000000..8b13789179 --- /dev/null +++ b/arm/Microsoft.EventGrid/systemTopics/.bicep/nested_cuaId.bicep @@ -0,0 +1 @@ + diff --git a/arm/Microsoft.EventGrid/systemTopics/.bicep/nested_privateEndpoint.bicep b/arm/Microsoft.EventGrid/systemTopics/.bicep/nested_privateEndpoint.bicep new file mode 100644 index 0000000000..82ab478cd6 --- /dev/null +++ b/arm/Microsoft.EventGrid/systemTopics/.bicep/nested_privateEndpoint.bicep 
@@ -0,0 +1,52 @@
+param privateEndpointResourceId string
+param privateEndpointVnetLocation string
+param privateEndpointObj object
+param tags object
+
+var privateEndpointResourceName = last(split(privateEndpointResourceId, '/'))
+var privateEndpoint_var = {
+ name: (contains(privateEndpointObj, 'name') ? (empty(privateEndpointObj.name) ? '${privateEndpointResourceName}-${privateEndpointObj.service}' : privateEndpointObj.name) : '${privateEndpointResourceName}-${privateEndpointObj.service}')
+ subnetResourceId: privateEndpointObj.subnetResourceId
+ service: [
+ privateEndpointObj.service
+ ]
+ privateDnsZoneResourceIds: (contains(privateEndpointObj, 'privateDnsZoneResourceIds') ? (empty(privateEndpointObj.privateDnsZoneResourceIds) ? [] : privateEndpointObj.privateDnsZoneResourceIds) : [])
+ customDnsConfigs: (contains(privateEndpointObj, 'customDnsConfigs') ? (empty(privateEndpointObj.customDnsConfigs) ? null : privateEndpointObj.customDnsConfigs) : null)
+}
+
+resource privateEndpoint 'Microsoft.Network/privateEndpoints@2021-05-01' = {
+ name: privateEndpoint_var.name
+ location: privateEndpointVnetLocation
+ tags: tags
+ properties: {
+ privateLinkServiceConnections: [
+ {
+ name: privateEndpoint_var.name
+ properties: {
+ privateLinkServiceId: privateEndpointResourceId
+ groupIds: privateEndpoint_var.service
+ }
+ }
+ ]
+ manualPrivateLinkServiceConnections: []
+ subnet: {
+ id: privateEndpoint_var.subnetResourceId
+ }
+ customDnsConfigs: privateEndpoint_var.customDnsConfigs
+ }
+}
+
+resource privateDnsZoneGroups 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2021-02-01' = if (!empty(privateEndpoint_var.privateDnsZoneResourceIds)) {
+ name: '${privateEndpoint_var.name}/default'
+ properties: {
+ privateDnsZoneConfigs: [for j in range(0, length(privateEndpoint_var.privateDnsZoneResourceIds)): {
+ name: last(split(privateEndpoint_var.privateDnsZoneResourceIds[j], '/'))
+ properties: {
+ privateDnsZoneId: privateEndpoint_var.privateDnsZoneResourceIds[j]
+ }
+ }]
+ }
+ dependsOn: [
+ privateEndpoint
+ ]
+}
diff --git a/arm/Microsoft.EventGrid/systemTopics/.bicep/nested_rbac.bicep b/arm/Microsoft.EventGrid/systemTopics/.bicep/nested_rbac.bicep
new file mode 100644
index 0000000000..59b68eba65
--- /dev/null
+++ b/arm/Microsoft.EventGrid/systemTopics/.bicep/nested_rbac.bicep
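Review bot: The endpoint is created with whatever `privateEndpointObj.service` the caller supplies as `groupIds`, but it is wired to a `Microsoft.EventGrid/systemTopics` resource ID, and to my knowledge that type exposes no Private Link sub-resource (Event Grid private endpoints target topics and domains); if that holds, this nested module and the `privateEndpoints` parameter in deploy.bicep are untestable surface — the parameter file never exercises them — and should be dropped rather than shipped. The readme example reinforces the doubt: it shows the storage-account group ids `blob`/`file` and a `privatelink.blob.core.windows.net` zone, which cannot apply to this resource. Separately, `privateDnsZoneGroups` is declared at `@2021-02-01` while its parent is `@2021-05-01`; aligning both and writing the child with `parent: privateEndpoint` would replace the string-built `'${privateEndpoint_var.name}/default'` name and the explicit `dependsOn`.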
@@ -0,0 +1,34 @@
+param principalIds array
+param roleDefinitionIdOrName string
+param resourceId string
+
+var builtInRoleNames = {
+ 'Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+ 'Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+ 'Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+ 'EventGrid Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1e241071-0855-49ea-94dc-649edcd759de')
+ 'EventGrid Data Sender': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd5a91429-5739-47e2-a06b-3470a27159e7')
+ 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')
+ 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')
+ 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')
+ 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')
+ 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')
+ 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')
+ 'Monitoring Metrics Publisher': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3913510d-42f4-4e42-8a64-420c390055eb')
+ 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')
+ 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')
+ 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
+}
+
+resource eventGrid 'Microsoft.EventGrid/topics@2020-06-01' existing = {
+ name: last(split(resourceId, '/'))
+}
+
+resource roleAssignment 'Microsoft.Authorization/roleAssignments@2021-04-01-preview' = [for principalId in principalIds: {
+ name: guid(eventGrid.name, principalId, roleDefinitionIdOrName)
+ properties: {
+ roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName
+ principalId: principalId
+ }
+ scope: eventGrid
+}]
diff --git a/arm/Microsoft.EventGrid/systemTopics/.parameters/parameters.json b/arm/Microsoft.EventGrid/systemTopics/.parameters/parameters.json
new file mode 100644
index 0000000000..dcbe654ee4
--- /dev/null
+++ b/arm/Microsoft.EventGrid/systemTopics/.parameters/parameters.json
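Review bot: The `roleAssignment` resource sets `principalId` but no `principalType`, so when a caller passes a service principal or managed identity created in the same deployment the assignment can fail on directory replication delay (`PrincipalNotFound`); consider an optional `param principalType string = ''` surfaced through the `roleAssignments` objects and emitted as `principalType: !empty(principalType) ? principalType : null`. `builtInRoleNames` also resolves `Owner` and `User Access Administrator`, both of which let the assignee grant further roles at this scope; the mapping is consistent with the other modules, but the `roleAssignments` description in deploy.bicep should say that these two are accepted so reviewers of parameter files know to look for them. An unmapped `roleDefinitionIdOrName` is passed straight through, so a bare role GUID rather than the documented `/providers/Microsoft.Authorization/roleDefinitions/<guid>` form only fails at deployment time; that matches the description, but is worth a comment on the `roleDefinitionId:` line.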
@@ -0,0 +1,40 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "name": {
+ "value": "<>-az-egtn-x-001"
+ },
+ "source": {
+ "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Storage/storageAccounts/adp<>azsax001"
+ },
+ "topicType": {
+ "value": "Microsoft.Storage/storageAccounts"
+ },
+ "roleAssignments": {
+ "value": [
+ {
+ "roleDefinitionIdOrName": "Reader",
+ "principalIds": [
+ "<>"
+ ]
+ }
+ ]
+ },
+ "diagnosticLogsRetentionInDays": {
+ "value": 7
+ },
+ "diagnosticStorageAccountId": {
+ "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Storage/storageAccounts/adp<>azsax001"
+ },
+ "diagnosticWorkspaceId": {
+ "value": "/subscriptions/<>/resourcegroups/validation-rg/providers/microsoft.operationalinsights/workspaces/adp-<>-az-law-x-001"
+ },
+ "diagnosticEventHubAuthorizationRuleId": {
+ "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.EventHub/namespaces/adp-<>-az-evhns-x-001/AuthorizationRules/RootManageSharedAccessKey"
+ },
+ "diagnosticEventHubName": {
+ "value": "adp-<>-az-evh-x-001"
+ }
+ }
+}
diff --git a/arm/Microsoft.EventGrid/systemTopics/deploy.bicep b/arm/Microsoft.EventGrid/systemTopics/deploy.bicep
new file mode 100644
index 0000000000..a15ca8b390
--- /dev/null
+++ b/arm/Microsoft.EventGrid/systemTopics/deploy.bicep
@@ -0,0 +1,150 @@
+@description('Required. The name of the Event Grid Topic')
+param name string
+
+@description('Optional. Location for all Resources.')
+param location string = resourceGroup().location
+
+@description('Required. Source for the system topic.')
+param source string
+
+@description('Required. TopicType for the system topic.')
+param topicType string
+
+@description('Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely.')
+@minValue(0)
+@maxValue(365)
+param diagnosticLogsRetentionInDays int = 365
+
+@description('Optional. Resource ID of the diagnostic storage account.')
+param diagnosticStorageAccountId string = ''
+
+@description('Optional. Resource ID of the diagnostic log analytics workspace.')
+param diagnosticWorkspaceId string = ''
+
+@description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
+param diagnosticEventHubAuthorizationRuleId string = ''
+
+@description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.')
+param diagnosticEventHubName string = ''
+
+@description('Optional. Configuration Details for private endpoints.')
+param privateEndpoints array = []
+
+@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'')
+param roleAssignments array = []
+
+@allowed([
+ 'CanNotDelete'
+ 'NotSpecified'
+ 'ReadOnly'
+])
+@description('Optional. Specify the type of lock.')
+param lock string = 'NotSpecified'
+
+@description('Optional. Tags of the resource.')
+param tags object = {}
+
+@description('Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered')
+param cuaId string = ''
+
+@description('Optional. The name of logs that will be streamed.')
+@allowed([
+ 'DeliveryFailures'
+ 'PublishFailures'
+])
+param logsToEnable array = [
+ 'DeliveryFailures'
+ 'PublishFailures'
+]
+
+@description('Optional. The name of metrics that will be streamed.')
+@allowed([
+ 'AllMetrics'
+])
+param metricsToEnable array = [
+ 'AllMetrics'
+]
+
+var diagnosticsLogs = [for log in logsToEnable: {
+ category: log
+ enabled: true
+ retentionPolicy: {
+ enabled: true
+ days: diagnosticLogsRetentionInDays
+ }
+}]
+
+var diagnosticsMetrics = [for metric in metricsToEnable: {
+ category: metric
+ timeGrain: null
+ enabled: true
+ retentionPolicy: {
+ enabled: true
+ days: diagnosticLogsRetentionInDays
+ }
+}]
+
+module pid_cuaId '.bicep/nested_cuaId.bicep' = if (!empty(cuaId)) {
+ name: 'pid-${cuaId}'
+ params: {}
+}
+
+resource eventGrid 'Microsoft.EventGrid/systemTopics@2021-12-01' = {
+ name: name
+ location: location
+ tags: tags
+ properties: {
+ source: source
+ topicType: topicType
+ }
+}
+
+resource eventGrid_lock 'Microsoft.Authorization/locks@2017-04-01' = if (lock != 'NotSpecified') {
+ name: '${eventGrid.name}-${lock}-lock'
+ properties: {
+ level: lock
+ notes: (lock == 'CanNotDelete') ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
+ }
+ scope: eventGrid
+}
+
+resource eventGrid_diagnosticSettings 'Microsoft.Insights/diagnosticsettings@2021-05-01-preview' = if ((!empty(diagnosticStorageAccountId)) || (!empty(diagnosticWorkspaceId)) || (!empty(diagnosticEventHubAuthorizationRuleId)) || (!empty(diagnosticEventHubName))) {
+ name: '${eventGrid.name}-diagnosticSettings'
+ properties: {
+ storageAccountId: !empty(diagnosticStorageAccountId) ? diagnosticStorageAccountId : null
+ workspaceId: !empty(diagnosticWorkspaceId) ? diagnosticWorkspaceId : null
+ eventHubAuthorizationRuleId: !empty(diagnosticEventHubAuthorizationRuleId) ? diagnosticEventHubAuthorizationRuleId : null
+ eventHubName: !empty(diagnosticEventHubName) ? diagnosticEventHubName : null
+ metrics: diagnosticsMetrics
+ logs: diagnosticsLogs
+ }
+ scope: eventGrid
+}
+
+module eventGrid_privateEndpoints '.bicep/nested_privateEndpoint.bicep' = [for (privateEndpoint, index) in privateEndpoints: if (!empty(privateEndpoints)) {
+ name: '${uniqueString(deployment().name, location)}-EventGrid-PrivateEndpoint-${index}'
+ params: {
+ privateEndpointResourceId: eventGrid.id
+ privateEndpointVnetLocation: (empty(privateEndpoints) ? 'dummy' : reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location)
+ privateEndpointObj: privateEndpoint
+ tags: tags
+ }
+}]
+
+module eventGrid_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: {
+ name: '${uniqueString(deployment().name, location)}-EventGrid-Rbac-${index}'
+ params: {
+ principalIds: roleAssignment.principalIds
+ roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName
+ resourceId: eventGrid.id
+ }
+}]
+
+@description('The name of the event grid system topic')
+output name string = eventGrid.name
+
+@description('The resource ID of the event grid')
+output resourceId string = eventGrid.id
+
+@description('The name of the resource group the event grid was deployed into')
+output resourceGroupName string = resourceGroup().name
diff --git a/arm/Microsoft.EventGrid/systemTopics/readme.md b/arm/Microsoft.EventGrid/systemTopics/readme.md
new file mode 100644
index 0000000000..1ff8cc0782
--- /dev/null
+++ b/arm/Microsoft.EventGrid/systemTopics/readme.md
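Review bot: The `roleAssignments` description promises objects carrying `'roleDefinitionIdOrName'` and `'principalId'`, but the `eventGrid_rbac` loop reads `roleAssignment.principalIds` (an array, as `param principalIds array` in nested_rbac.bicep confirms), so a caller who follows the description gets a deployment-time error on a missing property; the text should say `\'principalIds\'`. In `eventGrid_privateEndpoints`, the `if (!empty(privateEndpoints))` on a `[for ... in privateEndpoints]` loop and the `empty(privateEndpoints) ? 'dummy' : ...` fallback can never be taken, because the loop body is not evaluated for an empty array; dropping both leaves `privateEndpointVnetLocation: reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location`. The `name` description reads `Required. The name of the Event Grid Topic` for a system-topic resource; `Required. The name of the Event Grid System Topic` avoids confusion with the topics module this appears to be derived from (nested_rbac.bicep still references `Microsoft.EventGrid/topics`).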
@@ -0,0 +1,127 @@ +# Event Grid Topics `[Microsoft.EventGrid/systemTopics]` + +This module deploys an event grid topic. + +## Resource Types + +| Resource Type | API Version | +| :-- | :-- | +| `Microsoft.Authorization/locks` | 2017-04-01 | +| `Microsoft.Authorization/roleAssignments` | 2021-04-01-preview | +| `Microsoft.EventGrid/systemTopics` | 2021-12-01 | +| `Microsoft.Insights/diagnosticSettings` | 2021-05-01-preview | +| `Microsoft.Network/privateEndpoints` | 2021-05-01 | +| `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | 2021-02-01 | + +## Parameters + +| Parameter Name | Type | Default Value | Possible Values | Description | +| :-- | :-- | :-- | :-- | :-- | +| `cuaId` | string | | | Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered | +| `diagnosticEventHubAuthorizationRuleId` | string | | | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| `diagnosticEventHubName` | string | | | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | +| `diagnosticLogsRetentionInDays` | int | `365` | | Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. | +| `diagnosticStorageAccountId` | string | | | Optional. Resource ID of the diagnostic storage account. | +| `diagnosticWorkspaceId` | string | | | Optional. Resource ID of the diagnostic log analytics workspace. | +| `location` | string | `[resourceGroup().location]` | | Optional. Location for all Resources. | +| `lock` | string | `NotSpecified` | `[CanNotDelete, NotSpecified, ReadOnly]` | Optional. Specify the type of lock. | +| `logsToEnable` | array | `[DeliveryFailures, PublishFailures]` | `[DeliveryFailures, PublishFailures]` | Optional. The name of logs that will be streamed. 
| +| `metricsToEnable` | array | `[AllMetrics]` | `[AllMetrics]` | Optional. The name of metrics that will be streamed. | +| `name` | string | | | Required. The name of the Event Grid Topic | +| `privateEndpoints` | array | `[]` | | Optional. Configuration Details for private endpoints. | +| `roleAssignments` | array | `[]` | | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | +| `source` | string | | | Required. Source for the system topic. | +| `tags` | object | `{object}` | | Optional. Tags of the resource. | +| `topicType` | string | | | Required. TopicType for the system topic. | + +### Parameter Usage: `privateEndpoints` + +To use Private Endpoint the following dependencies must be deployed: + +- Destination subnet must be created with the following configuration option - `"privateEndpointNetworkPolicies": "Disabled"`. Setting this option acknowledges that NSG rules are not applied to Private Endpoints (this capability is coming soon). A full example is available in the Virtual Network Module. +- Although not strictly required, it is highly recommended to first create a private DNS Zone to host Private Endpoint DNS records. See [Azure Private Endpoint DNS configuration](https://docs.microsoft.com/en-us/azure/private-link/private-endpoint-dns) for more information. 
+ +```json +"privateEndpoints": { + "value": [ + // Example showing all available fields + { + "name": "sxx-az-pe", // Optional: Name will be automatically generated if one is not provided here + "subnetResourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", + "service": "blob", + "privateDnsZoneResourceIds": [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified + "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/privatelink.blob.core.windows.net" + ], + "customDnsConfigs": [ // Optional + { + "fqdn": "customname.test.local", + "ipAddresses": [ + "10.10.10.10" + ] + } + ] + }, + // Example showing only mandatory fields + { + "subnetResourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", + "service": "file" + } + ] +} +``` + +### Parameter Usage: `roleAssignments` + +```json +"roleAssignments": { + "value": [ + { + "roleDefinitionIdOrName": "Reader", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", + "principalIds": [ + "12345678-1234-1234-1234-123456789012" // object 1 + ] + } + ] +} +``` + +### Parameter Usage: `tags` + +Tag names and tag values can be provided as needed. A tag can be left without a value. 
+ +```json +"tags": { + "value": { + "Environment": "Non-Prod", + "Contact": "test.user@testcompany.com", + "PurchaseOrder": "1234", + "CostCenter": "7890", + "ServiceName": "DeploymentValidation", + "Role": "DeploymentValidation" + } +} +``` + +## Outputs + +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `name` | string | The name of the event grid system topic | +| `resourceGroupName` | string | The name of the resource group the event grid was deployed into | +| `resourceId` | string | The resource ID of the event grid | + +## Template references + +- [Diagnosticsettings](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) +- [Locks](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2017-04-01/locks) +- [Privateendpoints](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-05-01/privateEndpoints) +- [Privateendpoints/Privatednszonegroups](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-02-01/privateEndpoints/privateDnsZoneGroups) +- [Roleassignments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/roleAssignments) +- [Systemtopics](https://docs.microsoft.com/en-us/azure/templates/Microsoft.EventGrid/2021-12-01/systemTopics) diff --git a/arm/Microsoft.EventGrid/systemTopics/version.json b/arm/Microsoft.EventGrid/systemTopics/version.json new file mode 100644 index 0000000000..56f8d9ca40 --- /dev/null +++ b/arm/Microsoft.EventGrid/systemTopics/version.json @@ -0,0 +1,4 @@ +{ + "$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json", + "version": "0.4" +} From 01f098aedc3522b51a8abebbd9cdb974a5ee92c0 Mon Sep 17 00:00:00 2001 
From: Rainer Halanek Date: Fri, 25 Feb 2022 13:00:43 +0100 Subject: [PATCH 02/16] add pipeline --- .../workflows/ms.eventgrid.systemtopics.yml | 135 ++++++++++++++++++ 1 file changed, 135 insertions(+) create mode 100644 .github/workflows/ms.eventgrid.systemtopics.yml diff --git a/.github/workflows/ms.eventgrid.systemtopics.yml b/.github/workflows/ms.eventgrid.systemtopics.yml new file mode 100644 index 0000000000..23587b15c8 --- /dev/null +++ b/.github/workflows/ms.eventgrid.systemtopics.yml 
@@ -0,0 +1,135 @@
+name: 'EventGrid: System Topics'
+
+on:
+ workflow_dispatch:
+ inputs:
+ removeDeployment:
+ type: boolean
+ description: 'Remove deployed module'
+ required: false
+ default: 'true'
+ prerelease:
+ type: boolean
+ description: 'Publish prerelease module'
+ required: false
+ default: 'false'
+ push:
+ branches:
+ - main
+ paths:
+ - '.github/actions/templates/**'
+ - '.github/workflows/ms.eventgrid.systemtopics.yml'
+ - 'arm/Microsoft.EventGrid/systemtopics/**'
+ - '!*/**/readme.md'
+ - 'utilities/pipelines/**'
+ - '!utilities/pipelines/dependencies/**'
+
+env:
+ modulePath: 'arm/Microsoft.EventGrid/systemtopics'
+ workflowPath: '.github/workflows/ms.eventgrid.systemtopics.yml'
+ AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
+ ARM_SUBSCRIPTION_ID: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ ARM_MGMTGROUP_ID: '${{ secrets.ARM_MGMTGROUP_ID }}'
+ ARM_TENANT_ID: '${{ secrets.ARM_TENANT_ID }}'
+ DEPLOYMENT_SP_ID: '${{ secrets.DEPLOYMENT_SP_ID }}'
+
+jobs:
+ ############################
+ # SET INPUT PARAMETERS #
+ ############################
+ job_set_workflow_param:
+ runs-on: ubuntu-20.04
+ name: 'Set input parameters to output variables'
+ steps:
+ - name: 'Checkout'
+ uses: actions/checkout@v2
+ with:
+ fetch-depth: 0
+ - name: 'Set input parameters'
+ id: get-workflow-param
+ uses: ./.github/actions/templates/getWorkflowInput
+ with:
+ workflowPath: '${{ env.workflowPath}}'
+ outputs:
+ removeDeployment: ${{ steps.get-workflow-param.outputs.removeDeployment }}
+
+ ####################
+ # Pester Tests #
+ ####################
+ job_module_pester_validation:
+ runs-on: ubuntu-20.04
+ name: 'Pester tests'
+ steps:
+ - name: 'Checkout'
+ uses: actions/checkout@v2
+ with:
+ fetch-depth: 0
+ - name: 'Run tests'
+ uses: ./.github/actions/templates/validateModulePester
+ with:
+ modulePath: '${{ env.modulePath }}'
+
+ ####################
+ # Deployment tests #
+ ####################
+ job_module_deploy_validation:
+ runs-on: ubuntu-20.04
+ name: 'Deployment tests'
+ needs:
+ - job_set_workflow_param
+ - job_module_pester_validation
+ strategy:
+ fail-fast: false
+ matrix:
+ parameterFilePaths: ['parameters.json']
+ steps:
+ - name: 'Checkout'
+ uses: actions/checkout@v2
+ with:
+ fetch-depth: 0
+ - name: Set environment variables
+ uses: deep-mm/set-variables@v1.0
+ with:
+ variableFileName: 'global.variables'
+ - name: 'Using parameter file [${{ matrix.parameterFilePaths }}]'
+ uses: ./.github/actions/templates/validateModuleDeployment
+ with:
+ templateFilePath: '${{ env.modulePath }}/deploy.bicep'
+ parameterFilePath: '${{ env.modulePath }}/.parameters/${{ matrix.parameterFilePaths }}'
+ location: '${{ env.defaultLocation }}'
+ resourceGroupName: '${{ env.resourceGroupName }}'
+ subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
+ removeDeployment: '${{ needs.job_set_workflow_param.outputs.removeDeployment }}'
+
+ ###############
+ # PUBLISH #
+ ###############
+ job_publish_module:
+ name: 'Publish module'
+ if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' || github.event.inputs.prerelease == 'true'
+ runs-on: ubuntu-20.04
+ needs:
+ - job_set_workflow_param
+ - job_module_deploy_validation
+ steps:
+ - name: 'Checkout'
+ uses: actions/checkout@v2
+ with:
+ fetch-depth: 0
+ - name: Set environment variables
+ uses: deep-mm/set-variables@v1.0
+ with:
+ variableFileName: 'global.variables'
+ - name: 'Publish module'
+ uses: ./.github/actions/templates/publishModule
+ with:
+ templateFilePath: '${{ env.modulePath }}/deploy.bicep'
+ templateSpecsRGName: '${{ env.templateSpecsRGName }}'
+ templateSpecsRGLocation: '${{ env.templateSpecsRGLocation }}'
+ templateSpecsDescription: '${{ env.templateSpecsDescription }}'
+ templateSpecsDoPublish: '${{ env.templateSpecsDoPublish }}'
+ bicepRegistryName: '${{ env.bicepRegistryName }}'
+ bicepRegistryRGName: '${{ env.bicepRegistryRGName }}'
+ bicepRegistryRgLocation: '${{ 
env.bicepRegistryRgLocation }}' + bicepRegistryDoPublish: '${{ env.bicepRegistryDoPublish }}' From f0385ef91c95bb3fa75abd53565ae8f27a9519c2 Mon Sep 17 00:00:00 2001 From: Rainer Halanek Date: Fri, 25 Feb 2022 14:35:27 +0100 Subject: [PATCH 03/16] add trigger --- .github/workflows/ms.eventgrid.systemtopics.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/ms.eventgrid.systemtopics.yml b/.github/workflows/ms.eventgrid.systemtopics.yml index 23587b15c8..17b2fdacdf 100644 --- a/.github/workflows/ms.eventgrid.systemtopics.yml +++ b/.github/workflows/ms.eventgrid.systemtopics.yml @@ -16,6 +16,7 @@ on: push: branches: - main + - users/rahalan/AddSystemTopics paths: - '.github/actions/templates/**' - '.github/workflows/ms.eventgrid.systemtopics.yml' From 0d4891516baa4e7cab9a6b59b081ad93aab74cfc Mon Sep 17 00:00:00 2001 From: Rainer Halanek Date: Fri, 25 Feb 2022 14:47:45 +0100 Subject: [PATCH 04/16] fix --- .github/workflows/ms.eventgrid.systemtopics.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ms.eventgrid.systemtopics.yml b/.github/workflows/ms.eventgrid.systemtopics.yml index 17b2fdacdf..eb46b074be 100644 --- a/.github/workflows/ms.eventgrid.systemtopics.yml +++ b/.github/workflows/ms.eventgrid.systemtopics.yml @@ -20,13 +20,13 @@ on: paths: - '.github/actions/templates/**' - '.github/workflows/ms.eventgrid.systemtopics.yml' - - 'arm/Microsoft.EventGrid/systemtopics/**' + - 'arm/Microsoft.EventGrid/systemTopics/**' - '!*/**/readme.md' - 'utilities/pipelines/**' - '!utilities/pipelines/dependencies/**' env: - modulePath: 'arm/Microsoft.EventGrid/systemtopics' + modulePath: 'arm/Microsoft.EventGrid/systemTopics' workflowPath: '.github/workflows/ms.eventgrid.systemtopics.yml' AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }} ARM_SUBSCRIPTION_ID: '${{ secrets.ARM_SUBSCRIPTION_ID }}' From 1e1ae6153fa37c2a6c35319191cb87b0bc06c45a Mon Sep 17 00:00:00 2001 
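Review bot: The workflow-level `env:` block exports `AZURE_CREDENTIALS`, `ARM_SUBSCRIPTION_ID`, `ARM_MGMTGROUP_ID`, `ARM_TENANT_ID` and `DEPLOYMENT_SP_ID` to every step of every job, including the third-party `deep-mm/set-variables@v1.0` steps that only read `global.variables`; scoping these secrets to the steps that consume them (the deploy and publish steps already pass `secrets.ARM_*` explicitly through `with:`) keeps them out of processes that have no need for them. `deep-mm/set-variables@v1.0` and `actions/checkout@v2` are pinned by mutable tag; for the non-GitHub-owned action in particular, `uses: deep-mm/set-variables@<full-commit-sha>` removes the tag-retarget risk. There is also no top-level `permissions:` block, so `GITHUB_TOKEN` receives the repository default; `permissions:` with `contents: read` at the workflow level covers every step visible here, with the publish job widened only if its composite action turns out to write back to GitHub.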
From: Rainer Halanek Date: Fri, 25 Feb 2022 15:37:29 +0100 Subject: [PATCH 05/16] fix --- .../systemTopics/.parameters/parameters.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arm/Microsoft.EventGrid/systemTopics/.parameters/parameters.json b/arm/Microsoft.EventGrid/systemTopics/.parameters/parameters.json index dcbe654ee4..ff98e8dbd8 100644 --- a/arm/Microsoft.EventGrid/systemTopics/.parameters/parameters.json +++ b/arm/Microsoft.EventGrid/systemTopics/.parameters/parameters.json @@ -9,7 +9,7 @@ "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Storage/storageAccounts/adp<>azsax001" }, "topicType": { - "value": "Microsoft.Storage/storageAccounts" + "value": "Microsoft.Storage.StorageAccounts" }, "roleAssignments": { "value": [ From b1585bd1e1264b748b99ad478f9dc0623a8ad87f Mon Sep 17 00:00:00 2001 From: Rainer Halanek Date: Fri, 25 Feb 2022 15:54:14 +0100 Subject: [PATCH 06/16] fix --- arm/Microsoft.EventGrid/systemTopics/deploy.bicep | 2 -- 1 file changed, 2 deletions(-) diff --git a/arm/Microsoft.EventGrid/systemTopics/deploy.bicep b/arm/Microsoft.EventGrid/systemTopics/deploy.bicep index a15ca8b390..b0e591bca7 100644 --- a/arm/Microsoft.EventGrid/systemTopics/deploy.bicep +++ b/arm/Microsoft.EventGrid/systemTopics/deploy.bicep @@ -50,11 +50,9 @@ param cuaId string = '' @description('Optional. The name of logs that will be streamed.') @allowed([ 'DeliveryFailures' - 'PublishFailures' ]) param logsToEnable array = [ 'DeliveryFailures' - 'PublishFailures' ] @description('Optional. The name of metrics that will be streamed.') From 33bba8601d0b0e7c67c2397a0a758986f23dc001 Mon Sep 17 00:00:00 2001 From: Rainer Halanek Date: Fri, 25 Feb 2022 16:21:02 +0100 Subject: [PATCH 07/16] test --- .../systemTopics/.parameters/parameters.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/arm/Microsoft.EventGrid/systemTopics/.parameters/parameters.json b/arm/Microsoft.EventGrid/systemTopics/.parameters/parameters.json index ff98e8dbd8..46728a6924 100644 --- a/arm/Microsoft.EventGrid/systemTopics/.parameters/parameters.json +++ b/arm/Microsoft.EventGrid/systemTopics/.parameters/parameters.json @@ -3,7 +3,7 @@ "contentVersion": "1.0.0.0", "parameters": { "name": { - "value": "<>-az-egtn-x-001" + "value": "<>-az-egstn-x-001" }, "source": { "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Storage/storageAccounts/adp<>azsax001" From e3f617127f6b604b3b8f4c42d87277cf56486602 Mon Sep 17 00:00:00 2001 From: Rainer Halanek Date: Fri, 25 Feb 2022 16:54:26 +0100 Subject: [PATCH 08/16] fix --- arm/Microsoft.EventGrid/systemTopics/.bicep/nested_rbac.bicep | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arm/Microsoft.EventGrid/systemTopics/.bicep/nested_rbac.bicep b/arm/Microsoft.EventGrid/systemTopics/.bicep/nested_rbac.bicep index 59b68eba65..7ef6b9d8ff 100644 --- a/arm/Microsoft.EventGrid/systemTopics/.bicep/nested_rbac.bicep +++ b/arm/Microsoft.EventGrid/systemTopics/.bicep/nested_rbac.bicep @@ -20,7 +20,7 @@ var builtInRoleNames = { 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') } -resource eventGrid 'Microsoft.EventGrid/topics@2020-06-01' existing = { +resource eventGrid 'Microsoft.EventGrid/systemTopics@2021-12-01' existing = { name: last(split(resourceId, '/')) } From 026f3d950a946a6cdd403cb33d88b4d5da4d9459 Mon Sep 17 00:00:00 2001 From: Rainer Halanek Date: Sat, 26 Feb 2022 09:25:39 +0100 Subject: [PATCH 09/16] add identities --- .../systemTopics/deploy.bicep | 14 ++++++++++++++ arm/Microsoft.EventGrid/systemTopics/readme.md | 17 ++++++++++++++++- 2 files changed, 30 insertions(+), 1 deletion(-) 
diff --git a/arm/Microsoft.EventGrid/systemTopics/deploy.bicep b/arm/Microsoft.EventGrid/systemTopics/deploy.bicep index b0e591bca7..5a2e4d76e2 100644 --- a/arm/Microsoft.EventGrid/systemTopics/deploy.bicep +++ b/arm/Microsoft.EventGrid/systemTopics/deploy.bicep @@ -41,12 +41,25 @@ param roleAssignments array = [] @description('Optional. Specify the type of lock.') param lock string = 'NotSpecified' +@description('Optional. Enables system assigned managed identity on the resource.') +param systemAssignedIdentity bool = false + +@description('Optional. The ID(s) to assign to the resource.') +param userAssignedIdentities object = {} + @description('Optional. Tags of the resource.') param tags object = {} @description('Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered') param cuaId string = '' +var identityType = systemAssignedIdentity ? (!empty(userAssignedIdentities) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(userAssignedIdentities) ? 'UserAssigned' : 'None') + +var identity = identityType != 'None' ? { + type: identityType + userAssignedIdentities: !empty(userAssignedIdentities) ? userAssignedIdentities : null +} : null + @description('Optional. The name of logs that will be streamed.') @allowed([ 'DeliveryFailures' @@ -90,6 +103,7 @@ module pid_cuaId '.bicep/nested_cuaId.bicep' = if (!empty(cuaId)) { resource eventGrid 'Microsoft.EventGrid/systemTopics@2021-12-01' = { name: name location: location + identity: identity tags: tags properties: { source: source diff --git a/arm/Microsoft.EventGrid/systemTopics/readme.md b/arm/Microsoft.EventGrid/systemTopics/readme.md index 1ff8cc0782..bbb5445c1a 100644 --- a/arm/Microsoft.EventGrid/systemTopics/readme.md +++ b/arm/Microsoft.EventGrid/systemTopics/readme.md 
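Review bot: The new `identity` block can enable a system-assigned identity, but nothing exposes its principal ID, so a caller who sets `systemAssignedIdentity: true` cannot grant that identity rights on an event-handler destination without a second lookup; next to the existing outputs (outside this hunk) add `@description('The principal ID of the system assigned identity.')` followed by `output systemAssignedPrincipalId string = systemAssignedIdentity && contains(eventGrid.identity, 'principalId') ? eventGrid.identity.principalId : ''`. The `userAssignedIdentities` description `The ID(s) to assign to the resource.` does not say the value is an object keyed by identity resource ID with `{}` values, which is the shape the readme example in this commit shows; `Optional. The user-assigned identities to attach, as an object keyed by identity resource ID with empty-object values.` would match it. The `eventGrid` resource definition continues outside the hunk.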
@@ -25,14 +25,16 @@ This module deploys an event grid topic.
 | `diagnosticWorkspaceId` | string | | | Optional. Resource ID of the diagnostic log analytics workspace. |
 | `location` | string | `[resourceGroup().location]` | | Optional. Location for all Resources. |
 | `lock` | string | `NotSpecified` | `[CanNotDelete, NotSpecified, ReadOnly]` | Optional. Specify the type of lock. |
-| `logsToEnable` | array | `[DeliveryFailures, PublishFailures]` | `[DeliveryFailures, PublishFailures]` | Optional. The name of logs that will be streamed. |
+| `logsToEnable` | array | `[DeliveryFailures]` | `[DeliveryFailures]` | Optional. The name of logs that will be streamed. |
 | `metricsToEnable` | array | `[AllMetrics]` | `[AllMetrics]` | Optional. The name of metrics that will be streamed. |
 | `name` | string | | | Required. The name of the Event Grid Topic |
 | `privateEndpoints` | array | `[]` | | Optional. Configuration Details for private endpoints. |
 | `roleAssignments` | array | `[]` | | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' |
 | `source` | string | | | Required. Source for the system topic. |
+| `systemAssignedIdentity` | bool | | | Optional. Enables system assigned managed identity on the resource. |
 | `tags` | object | `{object}` | | Optional. Tags of the resource. |
 | `topicType` | string | | | Required. TopicType for the system topic. |
+| `userAssignedIdentities` | object | `{object}` | | Optional. The ID(s) to assign to the resource. |
 ### Parameter Usage: `privateEndpoints`
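Review bot: The new `systemAssignedIdentity` row leaves the default-value column empty, while the template in this same series declares `param systemAssignedIdentity bool = false`; the neighbouring rows (`lock`, `tags`, `userAssignedIdentities`) do record their defaults, so this row should read `| \`systemAssignedIdentity\` | bool | \`false\` | | Optional. Enables system assigned managed identity on the resource. |`. A reader of the table otherwise cannot tell whether the identity is on or off when the parameter is omitted.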
@@ -109,6 +111,19 @@ Tag names and tag values can be provided as needed. A tag can be left without a
 }
 ```
+### Parameter Usage: `userAssignedIdentities`
+
+You can specify multiple user assigned identities to a resource by providing additional resource IDs using the following format:
+
+```json
+"userAssignedIdentities": {
+ "value": {
+ "/subscriptions/12345678-1234-1234-1234-123456789012/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {},
+ "/subscriptions/12345678-1234-1234-1234-123456789012/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002": {}
+ }
+},
+```
+
 ## Outputs
 | Output Name | Type | Description |
From 55074f2e141314f31e4a65386b389daf9c91cd73 Mon Sep 17 00:00:00 2001
From: Rainer Halanek
Date: Sat, 26 Feb 2022 09:35:14 +0100
Subject: [PATCH 10/16] final
---
.github/workflows/ms.eventgrid.systemtopics.yml | 1 -
1 file changed, 1 deletion(-)
diff --git a/.github/workflows/ms.eventgrid.systemtopics.yml b/.github/workflows/ms.eventgrid.systemtopics.yml
index eb46b074be..b3f15b5c78 100644
--- a/.github/workflows/ms.eventgrid.systemtopics.yml
+++ b/.github/workflows/ms.eventgrid.systemtopics.yml
@@ -16,7 +16,6 @@ on:
 push:
 branches:
 - main
- - users/rahalan/AddSystemTopics
 paths:
 - '.github/actions/templates/**'
 - '.github/workflows/ms.eventgrid.systemtopics.yml'
From a0944ffa2a3208df03a04be417366c509e9b9bea Mon Sep 17 00:00:00 2001
From: Rainer Halanek
Date: Mon, 28 Feb 2022 10:33:00 +0100
Subject: [PATCH 11/16] add 'min.parameters.json',
---
.github/workflows/ms.eventgrid.systemtopics.yml | 2 +-
.../systemTopics/.parameters/min.parameters.json | 15 +++++++++++++++
2 files changed, 16 insertions(+), 1 deletion(-)
create mode 100644 arm/Microsoft.EventGrid/systemTopics/.parameters/min.parameters.json
diff --git a/.github/workflows/ms.eventgrid.systemtopics.yml b/.github/workflows/ms.eventgrid.systemtopics.yml
index b3f15b5c78..1fe703b874 100644
--- a/.github/workflows/ms.eventgrid.systemtopics.yml
+++ b/.github/workflows/ms.eventgrid.systemtopics.yml
@@ -81,7 +81,7 @@ jobs:
 strategy:
 fail-fast: false
 matrix:
- parameterFilePaths: ['parameters.json']
+ parameterFilePaths: ['min.parameters.json', 'parameters.json']
 steps:
 - name: 'Checkout'
 uses: actions/checkout@v2
diff --git a/arm/Microsoft.EventGrid/systemTopics/.parameters/min.parameters.json b/arm/Microsoft.EventGrid/systemTopics/.parameters/min.parameters.json
new file mode 100644
index 0000000000..87be2f37f1
--- /dev/null
+++ b/arm/Microsoft.EventGrid/systemTopics/.parameters/min.parameters.json
@@ -0,0 +1,15 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "name": {
+ "value": "<>-az-egstn-x-002"
+ },
+ "source": {
+ "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Storage/storageAccounts/adp<>azsax001"
+ },
+ "topicType": {
+ "value": "Microsoft.Storage.StorageAccounts"
+ }
+ }
+}
From daeba397869216d0da538e7b3f27d10f57d285d3 Mon Sep 17 00:00:00 2001
From: Rainer Halanek
Date: Mon, 28 Feb 2022 10:35:00 +0100
Subject: [PATCH 12/16] update
---
.../systemTopics/deploy.bicep | 22 +++++++++----------
.../systemTopics/readme.md | 4 ++--
2 files changed, 13 insertions(+), 13 deletions(-)
diff --git a/arm/Microsoft.EventGrid/systemTopics/deploy.bicep b/arm/Microsoft.EventGrid/systemTopics/deploy.bicep
index 5a2e4d76e2..9b20616dbe 100644
--- a/arm/Microsoft.EventGrid/systemTopics/deploy.bicep
+++ b/arm/Microsoft.EventGrid/systemTopics/deploy.bicep
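Review bot: `min.parameters.json` sets only `name`, `source` and `topicType`, which is right for a minimal case, but nothing visible in this series sets `systemAssignedIdentity`, `userAssignedIdentities`, `roleAssignments` or `privateEndpoints` in either parameter file — the `parameters.json` hunk earlier in the series shows only a name change, so I cannot tell whether the full file covers the identity path added in patch 09. If it does not, the `identity` object and the `systemAssignedPrincipalId` output are never exercised by the matrix; adding `"systemAssignedIdentity": { "value": true }` to `parameters.json` would give the full test case that coverage.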
@@ -100,7 +100,7 @@ module pid_cuaId '.bicep/nested_cuaId.bicep' = if (!empty(cuaId)) {
 params: {}
 }
-resource eventGrid 'Microsoft.EventGrid/systemTopics@2021-12-01' = {
+resource systemTopic 'Microsoft.EventGrid/systemTopics@2021-12-01' = {
 name: name
 location: location
 identity: identity
@@ -112,16 +112,16 @@ resource eventGrid 'Microsoft.EventGrid/systemTopics@2021-12-01' = {
 }
 resource eventGrid_lock 'Microsoft.Authorization/locks@2017-04-01' = if (lock != 'NotSpecified') {
- name: '${eventGrid.name}-${lock}-lock'
+ name: '${systemTopic.name}-${lock}-lock'
 properties: {
 level: lock
 notes: (lock == 'CanNotDelete') ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
 }
- scope: eventGrid
+ scope: systemTopic
 }
 resource eventGrid_diagnosticSettings 'Microsoft.Insights/diagnosticsettings@2021-05-01-preview' = if ((!empty(diagnosticStorageAccountId)) || (!empty(diagnosticWorkspaceId)) || (!empty(diagnosticEventHubAuthorizationRuleId)) || (!empty(diagnosticEventHubName))) {
- name: '${eventGrid.name}-diagnosticSettings'
+ name: '${systemTopic.name}-diagnosticSettings'
 properties: {
 storageAccountId: !empty(diagnosticStorageAccountId) ? diagnosticStorageAccountId : null
 workspaceId: !empty(diagnosticWorkspaceId) ? diagnosticWorkspaceId : null
@@ -130,13 +130,13 @@ resource eventGrid_diagnosticSettings 'Microsoft.Insights/diagnosticsettings@202
 metrics: diagnosticsMetrics
 logs: diagnosticsLogs
 }
- scope: eventGrid
+ scope: systemTopic
 }
 module eventGrid_privateEndpoints '.bicep/nested_privateEndpoint.bicep' = [for (privateEndpoint, index) in privateEndpoints: if (!empty(privateEndpoints)) {
 name: '${uniqueString(deployment().name, location)}-EventGrid-PrivateEndpoint-${index}'
 params: {
- privateEndpointResourceId: eventGrid.id
+ privateEndpointResourceId: systemTopic.id
 privateEndpointVnetLocation: (empty(privateEndpoints) ? 'dummy' : reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location)
 privateEndpointObj: privateEndpoint
 tags: tags
@@ -148,15 +148,15 @@ module eventGrid_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index)
 params: {
 principalIds: roleAssignment.principalIds
 roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName
- resourceId: eventGrid.id
+ resourceId: systemTopic.id
 }
 }]
 @description('The name of the event grid system topic')
-output name string = eventGrid.name
+output name string = systemTopic.name
-@description('The resource ID of the event grid')
-output resourceId string = eventGrid.id
+@description('The resource ID of the event grid system topic')
+output resourceId string = systemTopic.id
-@description('The name of the resource group the event grid was deployed into')
+@description('The name of the resource group the event grid system topic was deployed into')
 output resourceGroupName string = resourceGroup().name
diff --git a/arm/Microsoft.EventGrid/systemTopics/readme.md b/arm/Microsoft.EventGrid/systemTopics/readme.md
index bbb5445c1a..b88c44c450 100644
--- a/arm/Microsoft.EventGrid/systemTopics/readme.md
+++ b/arm/Microsoft.EventGrid/systemTopics/readme.md
@@ -129,8 +129,8 @@ You can specify multiple user assigned identities to a resource by providing add
 | Output Name | Type | Description |
 | :-- | :-- | :-- |
 | `name` | string | The name of the event grid system topic |
-| `resourceGroupName` | string | The name of the resource group the event grid was deployed into |
-| `resourceId` | string | The resource ID of the event grid |
+| `resourceGroupName` | string | The name of the resource group the event grid system topic was deployed into |
+| `resourceId` | string | The resource ID of the event grid system topic |
 ## Template references
From 1005b80ca3863be8d290342a74e53c7a780f7ea9 Mon Sep 17 00:00:00 2001
From: Rainer Halanek
Date: Mon, 28 Feb 2022 10:36:18 +0100
Subject: [PATCH 13/16] update
---
.../systemTopics/.bicep/nested_rbac.bicep | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/arm/Microsoft.EventGrid/systemTopics/.bicep/nested_rbac.bicep b/arm/Microsoft.EventGrid/systemTopics/.bicep/nested_rbac.bicep
index 7ef6b9d8ff..af15c17cde 100644
--- a/arm/Microsoft.EventGrid/systemTopics/.bicep/nested_rbac.bicep
+++ b/arm/Microsoft.EventGrid/systemTopics/.bicep/nested_rbac.bicep
@@ -20,15 +20,15 @@ var builtInRoleNames = {
 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
 }
-resource eventGrid 'Microsoft.EventGrid/systemTopics@2021-12-01' existing = {
+resource systemTopic 'Microsoft.EventGrid/systemTopics@2021-12-01' existing = {
 name: last(split(resourceId, '/'))
 }
 resource roleAssignment 'Microsoft.Authorization/roleAssignments@2021-04-01-preview' = [for principalId in principalIds: {
- name: guid(eventGrid.name, principalId, roleDefinitionIdOrName)
+ name: guid(systemTopic.name, principalId, roleDefinitionIdOrName)
 properties: {
 roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName
 principalId: principalId
 }
- scope: eventGrid
+ scope: systemTopic
 }]
From dbce546ba92c7ff77e5eae04da13386c2106be2a Mon Sep 17 00:00:00 2001
From: Rainer Halanek
Date: Mon, 28 Feb 2022 10:36:58 +0100
Subject: [PATCH 14/16] update
---
arm/Microsoft.EventGrid/systemTopics/deploy.bicep | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/arm/Microsoft.EventGrid/systemTopics/deploy.bicep b/arm/Microsoft.EventGrid/systemTopics/deploy.bicep
index 9b20616dbe..74fa779ab9 100644
--- a/arm/Microsoft.EventGrid/systemTopics/deploy.bicep
+++ b/arm/Microsoft.EventGrid/systemTopics/deploy.bicep
@@ -111,7 +111,7 @@ resource systemTopic 'Microsoft.EventGrid/systemTopics@2021-12-01' = {
 }
 }
-resource eventGrid_lock 'Microsoft.Authorization/locks@2017-04-01' = if (lock != 'NotSpecified') {
+resource systemTopic_lock 'Microsoft.Authorization/locks@2017-04-01' = if (lock != 'NotSpecified') {
 name: '${systemTopic.name}-${lock}-lock'
 properties: {
 level: lock
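Review bot: `name: guid(systemTopic.name, principalId, roleDefinitionIdOrName)` derives the role-assignment name from the topic's bare name rather than its resource ID, so two system topics with the same name in different resource groups or subscriptions of one tenant produce the same assignment GUID, and ARM treats the second deployment as an attempt to move an existing assignment to a new scope and rejects it. `name: guid(systemTopic.id, principalId, roleDefinitionIdOrName)` stays deterministic per deployment while being unique per resource. Separately, the `properties` block sets no `principalType`; for a freshly created service principal that leaves the assignment exposed to transient "principal not found" failures during directory replication, so passing a `principalType` through this module is a worthwhile follow-up (it needs a new parameter, which is outside this hunk).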
@@ -120,7 +120,7 @@ resource eventGrid_lock 'Microsoft.Authorization/locks@2017-04-01' = if (lock !=
 scope: systemTopic
 }
-resource eventGrid_diagnosticSettings 'Microsoft.Insights/diagnosticsettings@2021-05-01-preview' = if ((!empty(diagnosticStorageAccountId)) || (!empty(diagnosticWorkspaceId)) || (!empty(diagnosticEventHubAuthorizationRuleId)) || (!empty(diagnosticEventHubName))) {
+resource systemTopic_diagnosticSettings 'Microsoft.Insights/diagnosticsettings@2021-05-01-preview' = if ((!empty(diagnosticStorageAccountId)) || (!empty(diagnosticWorkspaceId)) || (!empty(diagnosticEventHubAuthorizationRuleId)) || (!empty(diagnosticEventHubName))) {
 name: '${systemTopic.name}-diagnosticSettings'
 properties: {
 storageAccountId: !empty(diagnosticStorageAccountId) ? diagnosticStorageAccountId : null
@@ -133,7 +133,7 @@ resource eventGrid_diagnosticSettings 'Microsoft.Insights/diagnosticsettings@202
 scope: systemTopic
 }
-module eventGrid_privateEndpoints '.bicep/nested_privateEndpoint.bicep' = [for (privateEndpoint, index) in privateEndpoints: if (!empty(privateEndpoints)) {
+module systemTopic_privateEndpoints '.bicep/nested_privateEndpoint.bicep' = [for (privateEndpoint, index) in privateEndpoints: if (!empty(privateEndpoints)) {
 name: '${uniqueString(deployment().name, location)}-EventGrid-PrivateEndpoint-${index}'
 params: {
 privateEndpointResourceId: systemTopic.id
@@ -143,7 +143,7 @@ module eventGrid_privateEndpoints '.bicep/nested_privateEndpoint.bicep' = [for (
 }
 }]
-module eventGrid_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: {
+module systemTopic_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: {
 name: '${uniqueString(deployment().name, location)}-EventGrid-Rbac-${index}'
 params: {
 principalIds: roleAssignment.principalIds
From 503bdd8aa0420b772f82203f01d4aa0f80cd7112 Mon Sep 17 00:00:00 2001
From: Rainer Halanek
Date: Mon, 28 Feb 2022 10:38:20 +0100
Subject: [PATCH 15/16] update
---
arm/Microsoft.EventGrid/systemTopics/deploy.bicep | 3 +++
arm/Microsoft.EventGrid/systemTopics/readme.md | 1 +
2 files changed, 4 insertions(+)
diff --git a/arm/Microsoft.EventGrid/systemTopics/deploy.bicep b/arm/Microsoft.EventGrid/systemTopics/deploy.bicep
index 74fa779ab9..53996c3bff 100644
--- a/arm/Microsoft.EventGrid/systemTopics/deploy.bicep
+++ b/arm/Microsoft.EventGrid/systemTopics/deploy.bicep
@@ -160,3 +160,6 @@ output resourceId string = systemTopic.id
 @description('The name of the resource group the event grid system topic was deployed into')
 output resourceGroupName string = resourceGroup().name
+
+@description('The principal ID of the system assigned identity.')
+output systemAssignedPrincipalId string = systemAssignedIdentity && contains(systemTopic.identity, 'principalId') ? systemTopic.identity.principalId : ''
diff --git a/arm/Microsoft.EventGrid/systemTopics/readme.md b/arm/Microsoft.EventGrid/systemTopics/readme.md
index b88c44c450..6a42a7441f 100644
--- a/arm/Microsoft.EventGrid/systemTopics/readme.md
+++ b/arm/Microsoft.EventGrid/systemTopics/readme.md
@@ -131,6 +131,7 @@ You can specify multiple user assigned identities to a resource by providing add
 | `name` | string | The name of the event grid system topic |
 | `resourceGroupName` | string | The name of the resource group the event grid system topic was deployed into |
 | `resourceId` | string | The resource ID of the event grid system topic |
+| `systemAssignedPrincipalId` | string | The principal ID of the system assigned identity. |
 ## Template references
From 3058ab37e25bf2956ef1df1c8a6d43b815954da8 Mon Sep 17 00:00:00 2001
From: Rainer Halanek
Date: Wed, 2 Mar 2022 10:04:06 +0100
Subject: [PATCH 16/16] adding ADO pipeline
---
.../ms.eventgrid.systemtopics.yml | 52 +++++++++++++++++++
1 file changed, 52 insertions(+)
create mode 100644 .azuredevops/modulePipelines/ms.eventgrid.systemtopics.yml
diff --git a/.azuredevops/modulePipelines/ms.eventgrid.systemtopics.yml b/.azuredevops/modulePipelines/ms.eventgrid.systemtopics.yml
new file mode 100644
index 0000000000..79d0138395
--- /dev/null
+++ b/.azuredevops/modulePipelines/ms.eventgrid.systemtopics.yml
@@ -0,0 +1,52 @@
+name: 'EventGrid - System Topics'
+
+parameters:
+ - name: removeDeployment
+ displayName: Remove deployed module
+ type: boolean
+ default: true
+ - name: prerelease
+ displayName: Publish prerelease module
+ type: boolean
+ default: false
+
+trigger:
+ batch: true
+ branches:
+ include:
+ - main
+ paths:
+ include:
+ - '/.azuredevops/modulePipelines/ms.eventgrid.systemtopics.yml'
+ - '/.azuredevops/pipelineTemplates/module.*.yml'
+ - '/arm/Microsoft.EventGrid/systemTopics/*'
+ exclude:
+ - '/**/*.md'
+
+variables:
+ - template: '/.azuredevops/pipelineVariables/global.variables.yml'
+ - group: 'PLATFORM_VARIABLES'
+ - name: modulePath
+ value: '/arm/Microsoft.EventGrid/systemTopics'
+
+stages:
+ - stage: Validation
+ displayName: Pester tests
+ jobs:
+ - template: /.azuredevops/pipelineTemplates/jobs.validateModulePester.yml
+
+ - stage: Deployment
+ displayName: Deployment tests
+ jobs:
+ - template: /.azuredevops/pipelineTemplates/jobs.validateModuleDeployment.yml
+ parameters:
+ removeDeployment: '${{ parameters.removeDeployment }}'
+ deploymentBlocks:
+ - path: $(modulePath)/.parameters/min.parameters.json
+ - path: $(modulePath)/.parameters/parameters.json
+
+ - stage: Publishing
+ displayName: Publish module
+ condition: and(succeeded(), or(eq(variables['Build.SourceBranch'], 'refs/heads/main'), eq(variables['Build.SourceBranch'], 'refs/heads/master'), eq('${{ parameters.prerelease }}', 'true')))
+ jobs:
+ - template: /.azuredevops/pipelineTemplates/jobs.publishModule.yml
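Review bot: The trigger's path filter includes `'/.azuredevops/pipelineTemplates/module.*.yml'`, but every template this pipeline consumes is named `jobs.*.yml` (`jobs.validateModulePester.yml`, `jobs.validateModuleDeployment.yml`, `jobs.publishModule.yml`), so a change to those job templates will not re-run this module's pipeline unless they are reached through a `module.*.yml` wrapper that is not visible here. If such a wrapper exists, a one-line comment above the filter saying so would save the next reader the same question; otherwise add `- '/.azuredevops/pipelineTemplates/jobs.*.yml'` beside the existing entry. If the other module pipelines in the repository carry the same filter, the fix belongs in all of them rather than only here.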